I have a setup with two ipa servers in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start; the failing
one is dirsrv@<REALM-NAME>.service.
In the journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 00007fb50126e1a6 sp 00007ffc0b80d6c8 error 4 in[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled
cipher suite, but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.

It would be good to know the exact version.
rpm -q 389-ds-base

Installed version is:


Please provide a backtrace or coredump; other developers will know
whether it's a known bug or a new bug.

Ok, you can find attached full stacktrace.
It's crashing trying to read updates from the replication changelog.

Are you using attribute encryption?
Any chance you have a way to reproduce this?

Since this is happening on only one server then I think recreating the
replication changelog will "fix" the issue.  Just re-initializing that
replica should do it.  Does this server start - so it can be reinited?
If not, you need to manually remove the changelog and start the
directory server, and reinit it.  Or perform a manual ldif
initialization.  (I can help with either one if needed)

No, directory server can't start, so I think I have to manually remove
the changelog.
Probably best:

It's under /var/lib/dirsrv/slapd-INSTANCE/db/changelog  (something like that)

Any help is obviously welcome.
BTW: Do you confirm I won't lose data on the second (working) server by
removing the changelog?

Well the changelog appears to be hosed.  So if something is lost, it's
already lost and is not recoverable.  As long as you have another master
you are okay, and IPA only creates masters so you should be good.

Thank you Mark,
I moved away and recreated the entire /var/lib/dirsrv/slapd-INSTANCE/db/changelog directory, rebooted the server and now it's up and running!

Thank you again.


